Baptista Luz

26/04/2024 Estimated reading 2’’

ANPD has Published the Regulation on Security Incident Communication


On the 26th of April, 2024, the National Data Protection Authority (ANPD) announced the issuance of its Security Incident Communication Regulation.

This document is designed to provide explicit guidelines for reporting security breaches. Highlighted below are the main aspects regulated by the ANPD and the relevant updates since the last version:

  • Definition of security breach. 
  • Criteria for reporting an incident, now incorporating new elements such as the category of “data protected by legal, judicial, or professional secrecy” as a risk factor. 
  • Notification timeframe of three (3) business days for reporting a breach, once the data controller is aware that personal data has been compromised. 
  • Twenty business days for supplementary notification with additional information, if necessary, starting from the date of the initial report.
  • Small-sized enterprises have an extended deadline equivalent to two times the standard timeframe. 
  • Methods of notification, which must be executed via a specific channel. 
  • The process related to the notified breach may be terminated based on certain criteria, which now include the processing agent having implemented measures to reverse or mitigate the impacts of the breach.

For more information, access our infographic with an in-depth analysis of the critical elements outlined in the ANPD’s new Regulation.  
